Friday, January 15, 2010

Selective Domain/Forest Trusts – episode I

 

Max, my buddy, recently shared a concern he had in his organization (say Piglet Inc.). They just acquired another company (say Ducklings Inc.) and now they have a trust relationship between the two ADs. He is paranoid about this level of trust because the other domain/forest is not directly managed by his IT department. A very useful feature in such a scenario is “Selective Trusts” (selective authentication). This feature is built into Windows 2003 and can be used as long as the forest functional level is set to Windows 2003 in the trusting domain. Of course, if the trust is a two-way transitive trust, then both forests should be at the “Windows 2003” functional level.

A simple netdom command will put his concerns to rest and get him to sleep better.

On the trusting domain, enter the netdom command below:

Netdom trust <trustingDomainName> /domain:<trustedDomainName> /SelectiveAuth:Yes
/usero:<domainadministratoraccount> /passwordo:<domainadministratoraccountpassword>

eg:-

Netdom trust piglet.com /domain:duckling.com /selectiveAuth:Yes
/usero:pigletadmin /passwordo:oinkoink

To disable Selective Trust, just issue the same command with /SelectiveAuth:No

By doing this, you can pick and choose which users or groups get access to what resources or computers in your domain.

Let’s say, for example, Scrooge from the HR team in Duckling Inc. needs to access a share on Piglet’s HR file server named “Porkie”. Under normal circumstances, Scrooge would try to access it using the UNC path \\Porkie\sharename, and as long as he had access to the share, he could get in. And if “Authenticated Users” had access to the share, then he wouldn’t even need any further access privileges; he would just get in, because with a normal trust every user from the trusted domain is a member of Authenticated Users in the trusting domain.

But with Selective Auth on, this would not work. There is a special object access right (an extended right), “Allowed to Authenticate”, that needs to be granted to Scrooge on the computer object “Porkie” before he can get access to the resources on that machine; the share permissions alone are no longer enough.
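To give Max a way to check both halves of this setup from the trusting side, here is an added PowerShell example (my own, not code from the original post): it verifies that the trust to duckling.com really has selective authentication switched on, grants the “Allowed to Authenticate” extended right on the Porkie computer object to a group from the trusted domain, and lists who holds that right so it can be audited. It assumes the ActiveDirectory RSAT module is installed, that the operator is running it as a domain admin in piglet.com, that the trust resolves names from duckling.com, and that a group called “DUCKLING\HR Users” exists in the trusted domain (that group name is my invention; the domain and host names are the post’s fictional ones). The GUID is the schema rightsGuid of the Allowed-To-Authenticate extended right.

```powershell
# Added example, not part of the original post. Run on a DC or admin host
# in the trusting domain (piglet.com) as a domain administrator.
Import-Module ActiveDirectory   # also mounts the AD: PSDrive used below

# Extended right "Allowed-To-Authenticate" (rightsGuid from the AD schema).
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Test-SelectiveAuthTrust {
    # Reports whether the trust to the given domain has selective auth enabled.
    param([string]$TrustedDomain = 'duckling.com')
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
    if (-not $trust) { throw "No trust to $TrustedDomain found in this domain" }
    [pscustomobject]@{
        Trust                   = $trust.Name
        Direction               = $trust.Direction
        SelectiveAuthentication = $trust.SelectiveAuthentication   # $true after /SelectiveAuth:Yes
    }
}

function Grant-AllowedToAuthenticate {
    # Adds an Allow ACE for the extended right on the computer object only.
    param(
        [string]$ComputerName = 'Porkie',
        [string]$Principal    = 'DUCKLING\HR Users'   # assumed group in the trusted domain
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path     = "AD:\$($computer.DistinguishedName)"
    $acl      = Get-Acl -Path $path

    # Resolve the foreign principal to a SID through the trust.
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)

    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-AllowedToAuthenticateGrants {
    # Audit: every principal that can authenticate to this computer through a
    # selective trust. An ObjectType of all zeros means "all extended rights",
    # which also includes Allowed-To-Authenticate, so it is reported as well.
    param([string]$ComputerName = 'Porkie')
    $computer = Get-ADComputer -Identity $ComputerName
    (Get-Acl -Path "AD:\$($computer.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $AllowedToAuthenticate -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, ObjectType, IsInherited
}

# Usage:
Test-SelectiveAuthTrust -TrustedDomain 'duckling.com'
Grant-AllowedToAuthenticate -ComputerName 'Porkie' -Principal 'DUCKLING\HR Users'
Get-AllowedToAuthenticateGrants -ComputerName 'Porkie'
```

Granting the right to a group rather than to Scrooge’s individual account keeps the number of ACEs on the computer object small, and the audit function is the thing to re-run periodically: if the trust reports SelectiveAuthentication as $false, or an unexpected principal shows up in the grant list, the protection the post describes is not actually in force for that server.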

How does this actually work in the background? Well, that’s for episode II.